GitHub Actions usage suggests unpinned zizmor version

[Turbo87]

https://docs.zizmor.sh/usage/#use-in-github-actions suggests to run uvx zizmor, which downloads the latest zizmor versions and runs it.

https://docs.zizmor.sh/audits/#unpinned-uses however explicitly suggests that all CI dependencies should be pinned to specific immutable versions (hashes in this case).

Shouldn't the former usage suggestion be modified to use a specific zizmor version?

Combined with https://docs.renovatebot.com/presets-customManagers/#custommanagersgithubactionsversions it might even make sense to extract a ZIZMOR_VERSION environment variable.

[Turbo87]

Example PR that implements it like this: rust-lang/crates.io#11203

[woodruffw]

Hey @Turbo87, thanks for opening an issue!

Yes, this should arguably be pinned -- the reason I haven't done that in the "default" workflow is because Dependabot doesn't make these kinds of "inline" updates easy, although it's good to see that it's possible with Renovate.

My plan for addressing this is to build out zizmor-action -- that'll include a version: input, which you can then pin and then (presumably) have Renovate update 🙂. That's still in alpha but it should work for most common use cases, if you feel like testing it! Otherwise I'll try and have a stable release done pretty soon.

docs.zizmor.sh/audits#unpinned-uses however explicitly suggests that all CI dependencies should be pinned to specific immutable versions (hashes in this case).

Technically this is only for uses: clauses, but you're right about the spirit of the rule 😅 -- I actually have a separate audit planned/scoped in #711 for detecting these kinds of patterns!

(There's some nuance with this -- uses: is arguably more serious since tags are fundamentally immutable, while something like uvx zizmor@1.7.0 is pseudo-immutable because PyPI itself is de facto immutable when it comes to release files. But patterns like uvx zizmor that contain no constrain should definitely be flagged.)

[woodruffw]

I've updated the docs here to recommend zizmor-action by default, which zizmor will then recommend for hash-pinning.

zizmor-action in turn will still use the latest release by default, but users will be able to pass e.g. version: "1.9.0" to pin to a specific version of zizmor (via the official Docker images).